Multi-factor authentication techniques in ADSelfService Plus
Let's take a look into the various authentication methods supported by ADSelfService Plus for enterprise multi-factor authentication.
Why multi-factor authentication?
Authentication based solely on usernames and passwords is no longer considered secure. Password-based authentication alone leaves user accounts vulnerable to threats like brute-force and dictionary attacks. To mitigate such security risks, ADSelfService Plus verifies users' identities using multi-factor authentication along with the default Active Directory credentials. ADSelfService Plus uses multi-factor authentication for identity verification during:
Various authentication techniques available in ADSelfService Plus
- Fingerprint/Face ID authentication: Users with mobile devices containing a fingerprint or Face ID sensor can use this method for identity verification. Enrollment is performed using the ADSelfService Plus mobile app. The steps to enroll are displayed under the Enrollment tab once the administrator configures this method. During multi-factor authentication, users have to scan their fingerprints or their face and click Accept for successful authentication.
- YubiKey Authenticator: YubiKey is a hardware device that uses codes for multi-factor authentication. Enrollment is done by either plugging the YubiKey device into the workstation and pressing its button (in the case of the ADSelfService Plus end-user portal) or tapping it against the mobile device (in the case of the ADSelfService Plus mobile app). When this is done, the code is automatically updated in the field provided in ADSelfService Plus. Users have to follow the same steps to verify their identity during multi-factor authentication.
- RSA SecurID: RSA SecurID is another method that uses passcodes for multi-factor authentication. For enrollment, users enter the passcode provided by the administrator. Then, to prove their identity, users enter a one-time passcode generated via:
- A hardware token.
- The RSA SecurID mobile app.
- Tokens received by email or SMS.
- Duo Security: Duo Security is an authentication solution that uses methods like:
- SMS-based verification codes.
- Phone call-based verification.
- App-based verification codes.
- Push notifications.
Once configured, users have to either enter a code that they receive or accept a notification to authenticate themselves. For enrollment, users are required to mention which method they will be using for multi-factor authentication.
- Azure AD multi-factor authentication: Organizations with Azure Active Directory multi-factor authentication already enabled can use the existing configuration and let users authenticate through the pre-enrolled authentication methods in Azure Active Directory. Supported methods include:
- Microsoft Authenticator app-based push notifications.
- Microsoft Authenticator app-based verification codes.
- Phone-call-based verification.
- SMS-based verification.
- OATH hardware tokens using Yubico, DeepNet Security, and more.
- RADIUS: RADIUS uses passcodes for multi-factor authentication. Users are automatically enrolled when the administrator configures RADIUS authentication. For multi-factor authentication, they simply have to enter the RADIUS password provided by the administrator.
- Google Authenticator: Google Authenticator is an app that uses timed codes for authentication. To verify user identity, the app generates a timed code that the users will have to enter to authenticate themselves. Users have to enroll by using the app to scan the QR code displayed under the Enrollment tab in the ADSelfService end-user portal.
- Microsoft Authenticator: The Microsoft Authenticator app generates a timed code that the users will have to enter to authenticate themselves. For enrollment, users have to install the Microsoft Authenticator app and configure it with ADSelfService Plus using the bar code given in the self-service portal under the Enrollment tab.
- SMS-based verification code: For this method, users have to enter a one-time code sent to their mobile device to verify their identity. Administrators can either choose the mobile number from the users' Active Directory profiles, or let the users specify another number while enrolling.
- Email-based verification code: In this method, a one-time code is sent to the user's email address. Administrators can either choose the email address from the users' Active Directory profiles or let the users specify another email address while enrolling.
- Time-based one-time password (TOTP): TOTP-based authentication is also performed using the ADSelfService Plus mobile app. After enrollment, authentication is performed similar to the methods mentioned above: Users receive a TOTP every time they have to prove their identity. They have to enter the TOTP within a specific period of time to authenticate themselves.
- Custom TOTP authenticator: Custom TOTP apps used by organizations can also be extended as an authentication method for ADSelfService Plus' multi-factor authentication feature. The enrollment process will depend on the app's capabilities. To authenticate, users will have to enter the TOTP displayed on the app in the field provided in the product portal within the specified time.
- Zoho OneAuth TOTP: Zoho OneAuth is an app that offers multi-factor authentication and single sign-on for enterprise accounts. The app's TOTP feature can be leveraged by ADSelfService Plus and used as an authentication method. To enroll, users need to scan a QR code displayed in the product portal using the Zoho OneAuth app. Once enrolled, they can authenticate by entering the TOTP displayed on the app in the field provided in the portal within the specified time.
- Push notifications: Push notifications are received through the ADSelfService Plus mobile app installed in the users' mobile devices. Enrollment can only be done through the mobile app. The steps are mentioned under the Enrollment tab after the administrator enables push notifications. Once enrolled, users receive a notification that they need to accept in order to prove their identity.
- QR code-based authentication: When this method is enabled, users have to scan the QR code displayed in the ADSelfService Plus end-user portal using the ADSelfService Plus mobile app and select Accept to prove their identity. Users can enroll using the app by following the steps displayed under the Enrollment tab.
- SAML authentication: Organizations that already use SAML-based identity provider (IdP) applications such as Okta or OneLogin can use SAML authentication as a method to verify users' identities. When SAML authentication is enabled, users are redirected to their IdP login URL for authentication only when they perform self-service password reset or account unlock in ADSelfService Plus. Enrollment is not required for this method.
- Smart Card Authentication: This method is applicable only for multi-factor authentication during product portal logins and enterprise application logins. A user is authenticated after ADSelfService Plus compares the certificate file on the user's machine with the one in AD. Enrollment automatically occurs when the user authenticates for the first time.
- Security questions and answers: This method consists of a predefined set of personal questions such as "What is your favorite color?" These questions can be configured by administrators or users. Users can enroll by either defining custom questions and answers or providing answers to administrator-defined questions. They have to provide the correct answer to these questions during identity verification.
- AD-based security questions: In this method, the administrator sets up AD-based questions that are linked to existing or custom AD attributes such as Social Security numbers. To prove their identity, users have to enter an answer that is then compared with the attribute value in AD for their user account. If they match, the user is authenticated. This method does not require user enrollment.
Benefits of using ADSelfService Plus for multi-factor authentication
- Comprehensive enterprise security: Multiple remote and local points of access into the enterprise network can be secured from credential-based attacks.
- Granular feature configuration: Specific authentication methods can be enabled for users belonging to particular OUs, groups, and domains. Certain enterprise endpoints can also be protected with multi-factor authentication depending on these user criteria.
- Regulatory compliance: Multi-factor authentication helps comply with regulations such as the GDPR, HIPAA, NYCRR, and FFIEC.
- Passwordless authentication: Enterprises can forgo Active Directory domain passwords and use only multi-factor authentication to verify user identities.
Need further assistance? Fill this form, and we'll contact you rightaway.
Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus!
Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.
Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more.
Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.
Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.